Darknet 2.0: Underground Forums Have Transformed into High-Tech Ecosystems
The significant threat lies in how easily these resources can be accessed. The deep specialization of cybercriminal groups and the automation of processes allow the scale of attacks to grow substantially with minimal human intervention. Cyberattacks can now be ordered through Telegram bots, which do not require users to have special technical skills.
The complexity of countering such platforms is exacerbated by multi-level access systems and social structures. Newcomers see only limited information, and accessing closed sections requires a months-long adaptation process and earning the trust of veterans. This necessitates a shift for information security specialists from technical analysis to studying the behavior and social connections of participants.
A study by Positive Technologies showed that in recent years closed darknet forums have become high-tech ecosystems with complex economies and protection systems. Analysis of data from shadow forums, information from law enforcement agencies, and monitoring of hacktivist Telegram channels confirmed that modern underground platforms are no longer just places for information exchange, but full-fledged shadow service markets, making cyberattacks mass-produced and accessible to businesses.
Previously, underground communities ran simple forums on off-the-shelf engines such as phpBB, but today they build distributed systems with multi-level architectures that can compete with legitimate services in terms of security. As a result, forums evolve continuously on the principle of natural selection: when law enforcement shuts down one platform, a new one emerges in its place, taking past mistakes into account. This creates a kind of arms race between cybercriminals and their opponents.
Modern platforms are characterized by hybrid architecture. Forums are moving away from ready-made solutions and transitioning to their own platforms. For example, the well-known English-language forum Dread was developed from scratch specifically for operation in the Tor network, making it more resistant to hacking. This requires law enforcement to constantly study the unique architectures of such resources.
Forums exist in several places simultaneously: they have hidden servers in the Tor network, regular websites on the open internet, and numerous mirrors. If one domain is blocked, users quickly switch to another. Administrators pre-publish new links in Telegram channels or use backup communication channels, significantly increasing resilience to blocks.
Protection against bots and scanners has also reached a new level. Forums use complex CAPTCHAs and JavaScript challenges, rate-limit requests, and add hidden tags to their HTML code to track the copying of information. In case of suspicious activity, such as viewing hundreds of pages per minute, users are quickly blocked or forced to undergo verification again.
An interesting feature is the multi-level access system. Newcomers have access only to limited information, and to access closed sections, they must earn a reputation, complete several transactions, and receive recommendations from more experienced participants. This complicates the work of both law enforcement and security researchers, who have to spend a long time adapting to their roles.
The economy of these forums has reached the level of a full-fledged industry. Most platforms are equipped with guarantor systems for secure transactions, internal cryptocurrency wallets, and automated payments. Some forums have special sections for arbitration and fee-based escrow services. Bitcoin remains the primary currency, but Monero is increasingly used for large transactions because of its anonymity. Forums profit from commissions, the sale of VIP statuses, and paid access to exclusive sections. On large platforms, users' internal accounts can reach hundreds of thousands of dollars in cryptocurrency.
The Economic Model of Shadow Forums
The danger lies in the service model developed by these forums. The ease of access to ready-made solutions—from exploits to botnet rentals—allows attackers to scale their attacks while minimizing personal involvement. Complex cyberattacks have become a commodity, significantly reducing the skills required to carry them out. The deep specialization of cybercriminal groups and the automation of processes make the threat relevant for companies of any size.
Many forums are integrated with Telegram and have their own bots for automating processes. Through such bots, transactions can be conducted, notifications about new messages can be received, or even purchases can be made without entering the forum itself, creating an ecosystem that blurs the boundaries between different platforms.
Forum administrators strictly adhere to security rules. They avoid direct access to servers, using chains of VPNs and Tor, work through intermediary computers, and diligently avoid actions that could reveal their identity. Mistakes, such as the one made by the creator of Silk Road, who used a personal email address, can lead to serious consequences.
Interestingly, the community itself also serves as an additional level of protection. Regular forum participants quickly respond to strange behavior from newcomers and can recognize an infiltrated agent by their manner of communication or inappropriate questions. For example, after the arrest of the administrator of the well-known forum XSS, its moderators suspected that the platform had come under law enforcement control and created a new forum, DamageLib.
No forum exists forever. Sooner or later, they are shut down by law enforcement, hacked by competitors, or fall apart due to internal conflicts. However, communities do not disappear—they migrate to new platforms. Administrators prepare backup servers in advance, save database backups, and maintain spare communication channels. When the main site goes down, a new address appears within a day, allowing users to quickly switch.
There is even a new trend: creating temporary forums that operate for just a few months and are then intentionally closed. While the platform is young, law enforcement cannot infiltrate it, and administrators avoid leaving traces. After closure, the same team soon opens a new forum and invites verified participants.
Researchers predict that in the future, forums will become even more distributed and automated. Active use of artificial intelligence for moderation and verification of participants, decentralized data storage systems, and integration with various messengers are expected. Elite communities will become even more closed, and temporary forums will become commonplace.
The main conclusion of the study is that underground forums have transformed from a chaotic phenomenon into dynamically developing platforms with their own rules, economy, and social structure. The technical and organizational resilience of these platforms significantly complicates efforts to counter them, so understanding the shadow market is essential for proactive protection that can anticipate threats and respond quickly to changes.